From owner-cvs-all@FreeBSD.ORG Thu Jun 10 00:04:35 2004 Return-Path: Delivered-To: cvs-all@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8BC1F16A4CE; Thu, 10 Jun 2004 00:04:35 +0000 (GMT) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 83F6043D1D; Thu, 10 Jun 2004 00:04:35 +0000 (GMT) (envelope-from bmilekic@FreeBSD.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.11/8.12.11) with ESMTP id i5A04RBV084806; Thu, 10 Jun 2004 00:04:27 GMT (envelope-from bmilekic@repoman.freebsd.org) Received: (from bmilekic@localhost) by repoman.freebsd.org (8.12.11/8.12.11/Submit) id i5A04RSt084805; Thu, 10 Jun 2004 00:04:27 GMT (envelope-from bmilekic) Message-Id: <200406100004.i5A04RSt084805@repoman.freebsd.org> From: Bosko Milekic Date: Thu, 10 Jun 2004 00:04:27 +0000 (UTC) To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org X-FreeBSD-CVS-Branch: HEAD Subject: cvs commit: src/sys/kern uipc_mbuf.c X-BeenThere: cvs-all@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: CVS commit messages for the entire tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Jun 2004 00:04:35 -0000 bmilekic 2004-06-10 00:04:27 UTC FreeBSD src repository Modified files: sys/kern uipc_mbuf.c Log: Plug a race where upon free this scenario could occur: (time grows downward) thread 1 thread 2 ------------|------------ dec ref_cnt | | dec ref_cnt <-- ref_cnt now zero cmpset | free all | return | | alloc again,| reuse prev | ref_cnt | | cmpset, read | already freed | ref_cnt ------------|------------ This should fix that by performing only a single atomic test-and-set that will serve to decrement the ref_cnt, only if it hasn't changed since the earlier read, otherwise it'll loop and re-read. This forces ordering of decrements so that truly the thread which did the LAST decrement is the one that frees. This is how atomic-instruction-based refcnting should probably be handled. Submitted by: Julian Elischer Revision Changes Path 1.132 +30 -15 src/sys/kern/uipc_mbuf.c